4 Jhanwar-Barua's IBE Scheme and Other Variations
Security of Identity-Based Encryption Schemes
73
Lemma 1 [14]. If $(x_1, y_1) \in \mathbb{Z}_n^2$ is a solution to the congruence $QC_n(a, S_1)$ and $(x_2, y_2) \in \mathbb{Z}_n^2$ is a solution to the congruence $QC_n(a, S_2)$, then $(x_{1,2}, y_{1,2}) \in \mathbb{Z}_n^2$ is a solution to the congruence $QC_n(a, S_1 S_2)$, where
$$x_{1,2} = \frac{x_1 + x_2}{a x_1 x_2 + 1} \bmod n \quad\text{and}\quad y_{1,2} = \frac{y_1 y_2}{a x_1 x_2 + 1} \bmod n, \qquad (4)$$
provided that $(a x_1 x_2 + 1, n) = 1$. Moreover, $x_{1,2} \in \mathbb{Z}_n^*$ if and only if $(x_1 + x_2, n) = 1$.
Now we are able to describe the IBE scheme proposed by Jhanwar and Barua [14]. In this scheme, Q(n, a, S) is the probabilistic algorithm described above to find solutions to the congruence $QC_n(a, S)$.
Jhanwar-Barua IBE (JB IBE) scheme [14]
Setup(λ): Generate (p, q) ← RSAgen(λ), compute n = pq, generate $e \in J_n \setminus QR_n$, and choose a hash function $h : \{0,1\}^* \to J_n$. Output the public parameters PP = (n, e, h); the master key msk = (p, q, K) is the factorization of n together with a random key K of some pseudo-random function $F_K : \{0,1\}^* \to \{0, 1, 2, 3\}$ ($F_K$ chooses one of the four square roots of h(ID) or eh(ID));
Extract(msk, ID): The private key is $r = r_j$, where $j = F_K(ID)$ and $r_0, r_1, r_2, r_3$ is an ordering of the square roots modulo n of h(ID) or eh(ID), depending on which of them is a quadratic residue modulo n;
Encrypt(PP, ID, m): Assume $m = m_0 \cdots m_{\ell-1}$ is the $\ell$-bit sequence to be encrypted. The encryption process is as follows:
– Compute a = h(ID);
– Compute $k = \lceil \sqrt{\ell} \rceil$;
– For i := 0 to k − 1 do
  • Randomly choose $s_i \in \mathbb{Z}_n^*$ and compute $S_i = s_i^2 \bmod n$;
  • Compute $(x_i, y_i) \leftarrow Q(n, a, S_i)$ and $(\bar{x}_i, \bar{y}_i) \leftarrow Q(n, ea, S_i)$;
  • Compute $c_i = m_i \cdot \left(\frac{2 s_i y_i + 2}{n}\right)$ and $\bar{c}_i = m_i \cdot \left(\frac{2 s_i \bar{y}_i + 2}{n}\right)$;
– For i := k to $\ell - 1$ do
  • Compute $1 \le \alpha \le k - 1$ and $0 \le \beta \le k - 1$ such that $i = \alpha \cdot k + \beta$;
  • Use Lemma 1 to compute $y_i$ from $(x_\alpha, y_\alpha)$ and $(x_\beta, y_\beta)$, and $\bar{y}_i$ from $(\bar{x}_\alpha, \bar{y}_\alpha)$ and $(\bar{x}_\beta, \bar{y}_\beta)$;
  • Set $s_i = s_\alpha s_\beta \bmod n$;
  • Compute $c_i = m_i \cdot \left(\frac{2 s_i y_i + 2}{n}\right)$ and $\bar{c}_i = m_i \cdot \left(\frac{2 s_i \bar{y}_i + 2}{n}\right)$;
– Return $(c, \bar{c}, x, \bar{x})$, where $c = c_0 \cdots c_{\ell-1}$, $\bar{c} = \bar{c}_0 \cdots \bar{c}_{\ell-1}$, $x = (x_0, \ldots, x_{k-1})$, and $\bar{x} = (\bar{x}_0, \ldots, \bar{x}_{k-1})$;
Decrypt($(c, \bar{c}, x, \bar{x})$, r): The decryption process is as follows:
– Compute a = h(ID);
– Compute $k = \lceil \sqrt{\ell} \rceil$;
– For i := 0 to k − 1 do
  • If $a \in QR_n$ then $m_i = c_i \cdot \left(\frac{x_i r_j + 1}{n}\right)$ else $m_i = \bar{c}_i \cdot \left(\frac{\bar{x}_i r_j + 1}{n}\right)$;
– For i := k to $\ell - 1$ do
  • Compute $1 \le \alpha \le k - 1$ and $0 \le \beta \le k - 1$ such that $i = \alpha \cdot k + \beta$;
  • Use Lemma 1 to compute either $x_i$ from $x_\alpha$ and $x_\beta$, or $\bar{x}_i$ from $\bar{x}_\alpha$ and $\bar{x}_\beta$, depending on whether a or ea is a quadratic residue;
  • If $a \in QR_n$ then $m_i = c_i \cdot \left(\frac{x_i r_j + 1}{n}\right)$ else $m_i = \bar{c}_i \cdot \left(\frac{\bar{x}_i r_j + 1}{n}\right)$;
– Return $m = m_0 \cdots m_{\ell-1}$.
The soundness of the JB IBE scheme follows easily from how associated polynomials can be computed from solutions to the congruences $QC_n(a, S)$ and from Lemma 1.
As one can see, in the JB IBE scheme the encryptor needs to solve $2k$ congruences, where $k = \lceil \sqrt{\ell} \rceil$, while the decryptor solves none. The ciphertext length is $2\ell + 2k \log n$ bits for a plaintext of $\ell$ bits.
Regarding the security of the JB IBE scheme, it was argued in [14] that the scheme is IND-ID-CPA secure. More precisely, the following was shown.
Theorem 6 [14]. For any efficient IND-ID-CPA adversary A against the JB IBE scheme there exist efficient algorithms $B_1$ and $B_2$, whose running time is about the same as that of A, such that
$$IBEAdv_{A,\,JB\ IBE}(\lambda) \le PRFAdv_{B_1,F}(\lambda) + 2 \cdot QRAdv_{B_2,RSAgen}(\lambda) + \frac{1}{2^k},$$
provided that h is modeled as a random oracle, the QR assumption holds for RSAgen, and F is a secure pseudo-random function.
Unfortunately, the JB IBE scheme is totally insecure. The first security flaw was remarked in [9] and can simply be described as follows. If $i = \alpha \cdot k + \beta$ and $j = \beta \cdot k + \alpha$, then $y_i = y_j$ (according to Lemma 1). Therefore, the bits $m_i$ and $m_j$ are encrypted by using the same Jacobi symbol. This allows an adversary to easily win the IND-ID-CPA security game (in the challenge phase, the adversary chooses two messages $m_0$ and $m_1$ such that $m_0$ has identical bits on the positions i and j, while $m_1$ has different bits on these positions). This security flaw can be overcome if we choose k larger than $\sqrt{\ell}$ and we combine $(x_i, y_i)$ with $(x_j, y_j)$ only for $i \le j$ [9]. In fact, k should be the least integer satisfying $\frac{k(k+3)}{2} \ge \ell$.
Even if we correct the JB IBE scheme as above, it is still insecure because from $x_0, \ldots, x_{k-1}$ one can compute $\left(\frac{2 s_i y_i + 2}{n}\right)$ for all i [18]. Indeed, let $(x_1, y_1)$ be a solution to $QC_n(a, S_1)$ and $(x_2, y_2)$ be a solution to $QC_n(a, S_2)$. By Lemma 1, $(x_{1,2}, y_{1,2})$ is a solution to $QC_n(a, S_1 S_2)$, where $x_{1,2}$ and $y_{1,2}$ are as in the lemma. Then, if $a \in QR_n$ and $r \in SQRT_n(a)$ we obtain
$$(x_1 r + 1)(x_2 r + 1) \equiv_n a x_1 x_2 + 1 + r(x_1 + x_2) \equiv_n (a x_1 x_2 + 1)(x_{1,2} r + 1),$$
which leads to
$$\left(\frac{x_{1,2} r + 1}{n}\right) = \left(\frac{x_1 r + 1}{n}\right)\left(\frac{x_2 r + 1}{n}\right)\left(\frac{a x_1 x_2 + 1}{n}\right). \qquad (5)$$
Moreover, if $S_1, S_2 \in QR_n$, $s_1 \in SQRT_n(S_1)$, and $s_2 \in SQRT_n(S_2)$ we also have
$$\left(\frac{2 s_1 s_2 y_{1,2} + 2}{n}\right) = \left(\frac{2 s_1 y_1 + 2}{n}\right)\left(\frac{2 s_2 y_2 + 2}{n}\right)\left(\frac{a x_1 x_2 + 1}{n}\right), \qquad (6)$$
whether or not a is a quadratic residue (see [18] for more details).
Now, it is straightforward to show that the JB IBE scheme is not IND-ID-CPA.
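As an added illustration (not code from Ţiplea et al. or from [14]), the following Python reproduces Lemma 1 and identities (5) and (6) on a toy Blum modulus n = 7·11: solve_qc stands in for the algorithm Q(n, a, S) using one rational parametrisation of the conic $ax^2 + Sy^2 = 1$ (an assumption of this example), combine implements equation (4), identity5_holds checks (5) for a square a, and check_identity6 sweeps over many solution pairs to confirm that the Jacobi symbol masking a combined bit is always the product of the two base symbols and the public factor $\left(\frac{a x_1 x_2 + 1}{n}\right)$, which is why publishing $x_0, \ldots, x_{k-1}$ leaks every combined bit to anyone who sees the first k symbols.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:  # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a  # reciprocity: the sign flips only if both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def solve_qc(n, a, s, t):
    """A solution (x, y) of QC_n(a, S), S = s^2 mod n, cut out by the line of slope t
    through the known point (0, 1/s) of the conic a x^2 + S y^2 = 1 (mod n).  Assumed
    parametrisation standing in for Q(n, a, S); None if a + S t^2 or s is not a unit."""
    S = s * s % n
    d = (a + S * t * t) % n
    if gcd(d, n) != 1 or gcd(s, n) != 1:
        return None
    d_inv = pow(d, -1, n)
    return -2 * s * t * d_inv % n, (a - S * t * t) * pow(s, -1, n) * d_inv % n

def combine(n, a, x1, y1, x2, y2):
    """Lemma 1, equation (4): a solution of QC_n(a, S1 S2); None if a x1 x2 + 1 is not a unit."""
    d = (a * x1 * x2 + 1) % n
    if gcd(d, n) != 1:
        return None
    d_inv = pow(d, -1, n)
    return (x1 + x2) * d_inv % n, y1 * y2 * d_inv % n

def identity5_holds(n, r, x1, x2):
    """Equation (5) for a = r^2: the decryptor's symbol of x12 factors into symbols of public values."""
    a = r * r % n
    d = (a * x1 * x2 + 1) % n
    if gcd(d, n) != 1:
        return None
    x12 = (x1 + x2) * pow(d, -1, n) % n
    return jacobi(x12 * r + 1, n) == jacobi(x1 * r + 1, n) * jacobi(x2 * r + 1, n) * jacobi(d, n)

def check_identity6(n, a, s1, s2, t_range):
    """Sweep slopes t1, t2 and test equation (6) on every instance in which all four
    Jacobi symbols are units.  Returns (instances_checked, failures)."""
    S12 = s1 * s1 * s2 * s2 % n
    checked = failures = 0
    for t1 in t_range:
        for t2 in t_range:
            sol1, sol2 = solve_qc(n, a, s1, t1), solve_qc(n, a, s2, t2)
            if sol1 is None or sol2 is None:
                continue
            (x1, y1), (x2, y2) = sol1, sol2
            sol12 = combine(n, a, x1, y1, x2, y2)
            if sol12 is None:
                continue
            x12, y12 = sol12
            if (a * x12 * x12 + S12 * y12 * y12) % n != 1:  # Lemma 1 must hold
                failures += 1
                continue
            masked = jacobi(2 * s1 * s2 * y12 + 2, n)  # symbol hiding bit m_i, i = alpha*k + beta
            base1 = jacobi(2 * s1 * y1 + 2, n)  # symbol hiding bit m_alpha
            base2 = jacobi(2 * s2 * y2 + 2, n)  # symbol hiding bit m_beta
            public = jacobi(a * x1 * x2 + 1, n)  # a = h(ID) and x1, x2 are public
            if 0 in (masked, base1, base2, public):
                continue
            checked += 1
            if masked != base1 * base2 * public:
                failures += 1
    return checked, failures
```

With n = 77 and a = 6 (an element of $J_n$ that is not a square) the sweep exercises the case the text stresses: identity (6) holds even when a is not a quadratic residue.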
In [9], Elashry, Mu, and Susilo tried to improve the upper bound in Theorem 6 by dropping the factor $1/2^k$, using Damgård's assumption. This assumption says that it is hard to predict the Jacobi symbol of the next integer in a polynomial-length sequence of consecutive integers. More precisely, given a λ-bit RSA modulus n and an integer a, it is hard to predict $\left(\frac{a + poly(\lambda) + 1}{n}\right)$ knowing
$$\left(\frac{a}{n}\right), \left(\frac{a + 1}{n}\right), \ldots, \left(\frac{a + poly(\lambda)}{n}\right),$$
where poly is a polynomial.
In [9], Damgård's assumption is used as follows. Let $(x_1, y_1)$ be a solution to $QC_n(a, S_1)$ and $(x_2, y_2)$ be a solution to $QC_n(a, S_2)$. By using Lemma 1, these two solutions can be combined into a solution $(x_{1,2}, y_{1,2})$ to $QC_n(a, S_1 S_2)$. Then, the authors claimed that, by Damgård's assumption, the probability of getting the Jacobi symbol
$$\left(\frac{2 s_1 s_2 y_3 + 2}{n}\right) \qquad (7)$$
from the sequence
$$\left(\frac{2 s_1 y_1 + 2}{n}\right), \left(\frac{2 s_2 y_2 + 2}{n}\right) \qquad (8)$$
is 1/2 ($s_1$ and $s_2$ are square roots of $S_1$ and $S_2$, resp.). Apart from the fact that the authors in [9] consider Damgård's assumption a proved result (which is not the case), Damgård's assumption cannot be applied to this case because between $2 s_1 y_1 + 2$ and $2 s_2 y_2 + 2$ there may be an exponential (in the security parameter λ) number of integers. Moreover, (6) shows clearly that the Jacobi symbol (7) can easily be obtained from the Jacobi symbols in (8) (recall that a can be publicly computed and $x_1$ and $x_2$ are either known from the ciphertext or can be computed from the ciphertext).
Later [10], the same authors (Elashry, Mu, and Susilo) tried to further reduce the number of congruences to be solved in order to get associated polynomials, and proposed a JB IBE-like scheme. As they used Lemma 1 to combine solutions, the flaw described above [18] still remains.
F.L. Ţiplea et al.
4 Conclusions
Designing an IBE scheme from quadratic residuosity that is more space efficient than the Cocks scheme is an interesting and valuable objective. The solution proposed by Boneh, Gentry, and Hamburg comes with a very elegant idea: associated polynomials. Unfortunately, their solution uses a quartic time-complexity deterministic algorithm to compute such polynomials from congruences of the form $ax^2 + Sy^2 \equiv 1 \bmod n$. The characterization proposed by Jhanwar and Barua for the solutions to such congruences is a valuable mathematical achievement that leads to efficient probabilistic algorithms to compute solutions. Unfortunately again, this probabilistic algorithm cannot be used in conjunction with the Boneh-Gentry-Hamburg scheme. The way it can be used to obtain IBE schemes, proposed by Jhanwar and Barua, leads to insecure schemes. The insecurity stems from the fact that the Jacobi symbol of a solution obtained by combining two solutions can be derived from public elements and from the Jacobi symbols of the corresponding solutions.
Summing up, the only secure IBE schemes from quadratic residuosity are the Cocks and Boneh-Gentry-Hamburg (BasicIBE) schemes (due to space limitations, our exposition did not take into consideration the anonymous variants of these schemes).
References
1. Attrapadung, N., et al.: Relations among notions of security for identity based encryption schemes. In: Correa, J.R., Hevia, A., Kiwi, M. (eds.) LATIN 2006. LNCS, vol. 3887, pp. 130–141. Springer, Heidelberg (2006). doi:10.1007/11682462_16
2. Barua, R., Jhanwar, M.P.: On the number of solutions of the equation $Rx^2 + Sy^2 = 1 \pmod N$. Indian J. Stat. 72–A, 226–236 (2010)
3. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998). doi:10.1007/BFb0055718
4. Bellare, M., Sahai, A.: Non-malleable encryption: equivalence between two notions, and an indistinguishability-based characterization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 519–536. Springer, Heidelberg (1999)
5. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_13
6. Boneh, D., Gentry, C., Hamburg, M.: Space-efficient identity based encryption without pairings. In: Proceedings of 48th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2007, pp. 647–657. IEEE Computer Society, Washington (2007)
7. Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001)
8. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. In: Proceedings of 23rd Annual ACM Symposium on Theory of Computing, STOC 1991, pp. 542–552. ACM, New York (1991)
9. Elashry, I., Mu, Y., Susilo, W.: Jhanwar-Barua's identity-based encryption revisited. In: Au, M.H., Carminati, B., Jay Kuo, C.-C. (eds.) NSS 2014. LNCS, vol. 8792, pp. 271–284. Springer, Berlin (2014)
10. Elashry, I., Mu, Y., Susilo, W.: An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing. In: Rhee, K.-H., Yi, J.H. (eds.) WISA 2014. LNCS, vol. 8909, pp. 257–268. Springer, Heidelberg (2015)
11. Goldreich, O., Lustig, Y., Naor, M.: On chosen ciphertext security of multiple encryptions. IACR Cryptology ePrint Archive 2002:89 (2002)
12. Goldwasser, S.: Cocks' IBE scheme, bilinear maps. In: Advanced Cryptography. MIT Lecture Notes, vol. 6876 (2004)
13. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28, 270–299 (1984)
14. Jhanwar, M.P., Barua, R.: A variant of Boneh-Gentry-Hamburg's pairing-free identity based encryption scheme. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 314–331. Springer, Heidelberg (2009)
15. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of 22nd Annual ACM Symposium on Theory of Computing, STOC 1990, pp. 427–437. ACM, New York (1990)
16. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). doi:10.1007/3-540-46766-1_35
17. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairings. In: Proceedings of Symposium on Cryptography and Information Security, Okinawa, Japan, January 2000. Springer, Berlin (2000)
18. Schipor, A.: On the security of Jhanwar-Barua identity-based encryption scheme. Personal communication (2016, submitted)
19. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_5
20. Watanabe, Y., Shikata, J., Imai, H.: Equivalence between semantic security and indistinguishability against chosen ciphertext attacks. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 71–84. Springer, Heidelberg (2002)
Cryptographic Algorithms and Protocols
Long-Term Secure One-Round Group Key Establishment from Multilinear Mappings
Kashi Neupane
Department of Mathematics, University of North Georgia, Oakwood, GA, USA
knneupane@ung.edu
Abstract. A new concept of security, long-term security, was introduced by Bohli et al. in 2007 as a security guarantee of a protocol even if some security assumptions become invalid after the completion of the protocol. Following the notion of long-term security of Bohli et al., we present a one-round long-term secure group key establishment protocol in the random oracle model. The resulting solution is built on a multilinear map and timestamps. The protocol also offers integrity and strong entity authentication. The proposed protocol remains secure if either a server, who shares a symmetric key with each user, is uncorrupted or the Graded Decisional Diffie-Hellman problem is hard.
Keywords: Long-term security · Group key establishment · Multilinear maps · Timestamps
© Springer International Publishing AG 2016
I. Bica and R. Reyhanitabar (Eds.): SECITC 2016, LNCS 10006, pp. 81–91, 2016.
DOI: 10.1007/978-3-319-47238-6_5
1 Introduction
Key establishment is one of the central areas of modern cryptography. Once a common key is established, it can be used for sending large amounts of data among the group members in the presence of adversaries. Before public key cryptosystems were introduced, only symmetric key cryptosystems were in use. These days, it is common practice to construct a cryptosystem by using either a symmetric key or a public key. Both kinds of cryptosystem have advantages and drawbacks. The major advantage of a protocol based on a symmetric-key cryptosystem is that it is very efficient and easy to implement. The usual requirement for the security of a symmetric cipher is that the cost of breaking the scheme is close to exponential in the key length, because its security rests on the assumption that no better attack than brute force search is known. On the other hand, a protocol based on a public key cryptosystem is much more structured than a symmetric cipher, because of algorithmic advances in solving the underlying problem. Predicting the cost of breaking the scheme is far more challenging for public-key cryptography. The major drawback of a protocol based on the former is that a trusted server, a third party, knows the secret key, whereas the major drawback of a protocol based on the latter is that the protocol is no longer secure or useful if the underlying hardness assumption breaks in the future. A long-term secure protocol is constructed from two hardness assumptions which are independent of each other. A combination of two independent hardness assumptions keeps the protocol secure even if one of the hardness assumptions becomes invalid after the completion of the protocol.
Bohli et al. [3] introduced the concept of long-term security and proposed a long-term secure two-party key establishment protocol. Their protocol requires three rounds, and is based on the Decisional Diffie-Hellman (DDH) assumption and an assumption which is close to real-or-random indistinguishability of a symmetric encryption scheme. Later Müller-Quade and Unruh [10] extended the notion of long-term security to the Universally Composable framework. Based on Bohli et al. [3], Neupane and Steinwandt [12] proposed an authenticated long-term secure three-party key establishment protocol based on the Bilinear Decisional Diffie-Hellman (BDDH) assumption and real-or-random indistinguishability. Moreover, Unruh [13] defined a variant of the Universal Composability framework, everlasting quantum-UC, and showed that the concept of long-term security can be implemented for secure communication and general multi-party computation using signature cards as trusted setup. Neupane [11] presented a more efficient, two-round protocol, based on the BDDH assumption and real-or-random indistinguishability. In this paper, we propose an authenticated long-term secure group key establishment protocol based on an unauthenticated one-round protocol presented by Garg et al. [7], using timestamps as proposed by Barbosa and Farshim [1]. We use the Graded Decisional Diffie-Hellman (GDDH) assumption as the underlying hardness assumption for the public key cryptosystem, whereas the notion of real-or-random indistinguishability is used for the security of the underlying symmetric cipher.
2 Preliminaries
As cryptographic tools we use a symmetric encryption scheme and a signature scheme. As a mathematical tool we use Approximate Multilinear Mappings, proposed by Garg et al. [7], which they named Graded Encoding System. In this section, we review the underlying cryptographic tools and the mathematical tool.
2.1 Digital Signature Scheme
A digital signature is a method for a user to sign a message electronically in a way that can be verified by anybody later. A digital signature protects data from being altered, or more precisely enables the detection of modification. We quickly review the definition of a signature scheme—for more details we refer to Menezes et al. [9].
Definition 1 (Signature Scheme). A signature scheme S = (K, S, V) is a triple of polynomial-time algorithms:
– A probabilistic key generation algorithm K which takes the security parameter $1^k$ as its input, and returns a key pair (pk, sk)—a public verification key pk and a matching secret signing key sk;
– A probabilistic signing algorithm S which takes a message $M \in \{0,1\}^*$ and the secret signing key sk as its inputs, and returns a signature σ on M;
– A deterministic verification algorithm V which takes a public key pk, a message M, and a signature σ for M as its inputs, and returns 1 or 0, indicating whether σ is a valid signature for M under the public key pk.
For pairs (sk, pk) output by K, we require that with overwhelming probability the following condition holds: $V_{pk}(M, S_{sk}(M)) = 1$, for all messages M.
Definition 2 (Existentially Unforgeable Signature Scheme Under Chosen Message Attacks (UF–CMA)). A signature scheme S is said to be existentially unforgeable under chosen message attacks if for all probabilistic polynomial time adversaries A the following probability is negligible (in k):
$$\Pr\left[(pk, sk) \leftarrow K;\ (M, \sigma) \leftarrow A^{S_{sk}(\cdot)} : V_{pk}(M, \sigma) = 1 \wedge (M, \sigma) \ne (M_i, \sigma_i)\right],$$
where $M_i$ denotes a message submitted by A to $S_{sk}(\cdot)$.
2.2 Real-or-Random Indistinguishability
Following Bellare et al. [2], we present the concept of real-or-random indistinguishability and refer to that paper for a more detailed discussion. First we review the definition of a symmetric encryption scheme and then give the definition of real-or-random indistinguishability.
Definition 3 (Symmetric Key Encryption Scheme). A symmetric key encryption scheme SE = (Gen, Enc, Dec) is a triple of polynomial-time algorithms:
– A randomized key generation algorithm Gen which on input of the security parameter $1^k$ returns a secret key $K \in \{0,1\}^*$;
– A randomized encryption algorithm Enc which on input of a secret key K and a message $M \in \{0,1\}^*$ outputs a ciphertext $C \in \{0,1\}^*$;
– A deterministic decryption algorithm Dec which takes the key K and a ciphertext C as its inputs, and outputs either a message M or an error symbol ⊥.
The scheme is said to provide correct decryption if for any secret key K and any message M with ciphertext $C \leftarrow Enc_K(M)$, it is the case that $Dec_K(C) = M$.
To formalize the security notion needed later, we use a real-or-random oracle $E_K(RR(\cdot, b))$ with the following properties: on input $b \in \{0,1\}$ and a plaintext $M \in \{0,1\}^*$,
– it returns an encryption $C \leftarrow Enc_K(M)$ of M, if b = 1;
– it returns an encryption $C \leftarrow Enc_K(r)$ of a uniformly random bitstring $r \leftarrow \{0,1\}^{|M|}$, if b = 0.
For a ppt algorithm A now consider the following experiment where $b \in \{0,1\}$ is fixed and unknown to A: a secret key $K \leftarrow Gen(1^k)$ is created, and A has unrestricted access to $E_K(RR(\cdot, b))$. Further, A has access to a decryption oracle $D_K(\cdot)$ which executes $Dec_K(\cdot)$, subject to the restriction that no ciphertext output by the real-or-random oracle may be queried to $D_K(\cdot)$. We measure A's advantage as the difference
$$Adv^{ror\text{-}cca}_A(k) := \Pr\left[1 \leftarrow A^{E_K(RR(\cdot,1)),\,D_K(\cdot)}(1^k) \,\middle|\, K \leftarrow Gen(1^k)\right] - \Pr\left[1 \leftarrow A^{E_K(RR(\cdot,0)),\,D_K(\cdot)}(1^k) \,\middle|\, K \leftarrow Gen(1^k)\right].$$
Definition 4 (Real-or-Random Indistinguishability). A symmetric encryption scheme SE is secure in the sense of real-or-random indistinguishability (ROR-CCA) if for all ppt algorithms A the advantage $Adv^{ror\text{-}cca}_A$ is negligible (in k).
2.3 Brief Overview of the Encoding System
The Graded Encoding System is based on multi-level encodings of an element of a coset of a polynomial ring. After a brief overview of the underlying mathematical tools, such as the construction of a polynomial ring and its cosets, we introduce the notion of a Graded Encoding System. We briefly review the multilinear map procedures, one of the fundamental tools of our key exchange protocol. Finally, we review the security assumption on which the protocol is based, the Graded Decisional Diffie-Hellman (GDDH) assumption. For more detailed information about GDDH, we refer to Garg et al. [7] and Coron et al. [6].
Consider the polynomial ring $R = \mathbb{Z}[x]/\langle x^n + 1 \rangle$ with an integer n which is large enough to ensure security. One generates a secret short ring element $g \in R$ and the principal ideal $I = \langle g \rangle \subset R$. An integer parameter q and another random secret $z \in R/qR$ are also generated. With these parameters, each coset $e + I$ of the quotient ring $R/I$ is encoded at multiple levels. The level-i encoding of the element $e + I$ is an element of the form $[c/z^i]_q$, where c is an element of $e + I$. Such encodings can be added and multiplied, as long as the norm of the numerator remains shorter than q. More specifically, the product of κ encodings of level 1 gives an encoding of an element at level κ. For such level-κ encodings, one can then define a zero-testing parameter, $p_{zt} = [h z^\kappa / g]_q$, for some small $h \in R$. This zero-testing parameter is used to determine whether a level-κ encoding c is zero or not by computing $[p_{zt} \cdot c/z^\kappa]_q = [hc/g]_q$. When c is small the product $[p_{zt} \cdot c/z^\kappa]_q$ is small, while when c is large the product $[p_{zt} \cdot c/z^\kappa]_q$ is large. Hence zero can be distinguished from non-zero. Moreover, using this zero-testing parameter, two encodings of two different elements can be distinguished from two encodings of the same element by subtraction.
Garg et al. [7] defined their notion of an approximate multilinear map, which they call a graded encoding system. In this notion, there are levels of encodings. Ring elements $\alpha \in R$ are considered as plaintexts, $\alpha \cdot g$ in the source group are considered as level-1 elements, and a product of i level-1 encodings represents a level-i encoding. So, level κ corresponds to the target group of multilinear maps.
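To make the level structure concrete, here is an added toy example (not code from Neupane or from Garg et al. [7]) of the encoding, zero-test and subtraction mechanics just described, with $R = \mathbb{Z}$ in place of $\mathbb{Z}[x]/\langle x^n + 1 \rangle$, so that $I = g\mathbb{Z}$ and plaintexts live in $\mathbb{Z}/g\mathbb{Z}$; the constants q, g, h, the noise bound and the zero-test threshold are choices of this example, sized so that the zero test is exact for up to three multiplications, and the class previews the procedure names (samp, enc, add, neg, mul, Zero) of Sect. 2.4. The integer version is a teaching model of the interface, not a secure construction.

```python
import random

Q = (1 << 61) - 1   # modulus q: the Mersenne prime 2^61 - 1 (chosen for the toy)
G = 1009            # small secret g; the ideal is I = gZ, so plaintexts are Z/gZ
H = 7               # small h used in the zero-testing parameter
NOISE = 255         # bound on the noise r of a fresh encoding c = alpha + r g
T_ZERO = 1 << 49    # zero-test threshold: |[h c / g]_q| below this means c is in I

def sym(v):
    """Representative of v mod q in (-q/2, q/2], so that 'small' is well defined."""
    v %= Q
    return v - Q if v > Q // 2 else v

class ToyGES:
    """kappa-graded encoding of R/I with R = Z. An encoding is (level, value) with
    value = [c / z^level]_q and c in alpha + I, i.e. value lies in S_level^(alpha)."""

    def __init__(self, kappa, z):
        self.kappa = kappa
        self.z_inv = pow(z % Q, -1, Q)
        self.pzt = H * pow(z, kappa, Q) * pow(G, -1, Q) % Q   # p_zt = [h z^kappa / g]_q

    @staticmethod
    def samp(rng):
        """samp: a level-zero element alpha of R/I = Z/gZ."""
        return rng.randrange(G)

    def enc(self, level, alpha, r):
        """Enc: level-i encoding [c / z^i]_q of the coset alpha + I, with c = alpha + r g."""
        assert 0 <= level <= self.kappa and abs(r) <= NOISE
        c = alpha + r * G
        return level, c * pow(self.z_inv, level, Q) % Q

    def add(self, u1, u2):
        """add: same level, encodes alpha1 + alpha2 (the numerators add)."""
        assert u1[0] == u2[0]
        return u1[0], (u1[1] + u2[1]) % Q

    def neg(self, u):
        """neg: encodes -alpha at the same level."""
        return u[0], -u[1] % Q

    def mul(self, u1, u2):
        """mul: levels add, encodes alpha1 * alpha2, allowed while i1 + i2 <= kappa."""
        assert u1[0] + u2[0] <= self.kappa
        return u1[0] + u2[0], u1[1] * u2[1] % Q

    def zero(self, u):
        """Zero: level-kappa test. p_zt * u = [h c / g]_q is small exactly when c is in I."""
        assert u[0] == self.kappa
        return abs(sym(self.pzt * u[1])) < T_ZERO

    def same_element(self, u1, u2):
        """Equality of two level-kappa encodings by subtraction, as in Sect. 2.3."""
        return self.zero(self.add(u1, self.neg(u2)))

def demo(seed):
    """Three level-1 encodings multiplied up to level 3 agree with a direct level-3
    encoding of the product of the plaintexts, and disagree with a wrong one."""
    rng = random.Random(seed)
    ges = ToyGES(kappa=3, z=rng.randrange(2, Q))
    alphas = [ges.samp(rng) for _ in range(3)]
    shares = [ges.enc(1, a, rng.randint(-NOISE, NOISE)) for a in alphas]
    prod = ges.mul(ges.mul(shares[0], shares[1]), shares[2])
    target = alphas[0] * alphas[1] * alphas[2] % G
    direct = ges.enc(3, target, rng.randint(-NOISE, NOISE))
    wrong = ges.enc(3, (target + 1) % G, rng.randint(-NOISE, NOISE))
    return ges.same_element(prod, direct) and not ges.same_element(prod, wrong)
```

With these sizes a level-3 numerator stays below $2^{55} < q/2$, so the noise term $h \cdot r$ in the zero test stays below $2^{48}$ while any non-zero coset contributes a term of magnitude above $2^{51}$, which is what makes the threshold exact rather than probabilistic.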
Now we review the definition of a κ-graded encoding system and then the GDDH assumption from Garg et al. [7].
Definition 5 (κ-Graded Encoding System). A κ-Graded Encoding System for a ring R is a system of sets $S = \{S_i^{(\alpha)} \subset \{0,1\}^* : \alpha \in R,\ 0 \le i \le \kappa\}$, with the following properties:
– For every fixed i, the sets $\{S_i^{(\alpha)} : \alpha \in R\}$ are disjoint.
– There are binary operations + and − (on $\{0,1\}^*$) such that for every $\alpha_1, \alpha_2 \in R$, every index $i \le \kappa$, and every $u_1 \in S_i^{(\alpha_1)}$ and $u_2 \in S_i^{(\alpha_2)}$, it holds that $u_1 + u_2 \in S_i^{(\alpha_1 + \alpha_2)}$ and $-u_1 \in S_i^{(-\alpha_1)}$, where $\alpha_1 + \alpha_2$ and $-\alpha_1$ are addition and negation in R.
– There is an associative binary operation × (on $\{0,1\}^*$) such that for every $\alpha_1, \alpha_2 \in R$, every $i_1, i_2$ with $i_1 + i_2 \le \kappa$, and $u_1 \in S_{i_1}^{(\alpha_1)}$ and $u_2 \in S_{i_2}^{(\alpha_2)}$, it holds that $u_1 \times u_2 \in S_{i_1 + i_2}^{(\alpha_1 \cdot \alpha_2)}$. Here $\alpha_1 \cdot \alpha_2$ is multiplication in R, and $i_1 + i_2$ is integer addition.
2.4 Multilinear Map Procedures
Instance Generation. The randomized InstGen($1^\lambda$, $1^\kappa$) takes the security parameters λ and κ as its inputs and returns (params, $p_{zt}$), where params is a description of a κ-Graded Encoding System and $p_{zt}$ is a zero-testing parameter.
Ring Sampler. The randomized samp(params) takes a nearly uniform element $\alpha \in_R R$ as its input, and returns a level-zero encoding $a \in S_0^{(\alpha)}$. Note that the encoding a does not have to be uniform in $S_0^{(\alpha)}$.
Encoding. The procedure Enc(params, i, a) takes a level-zero encoding $a \in S_0^{(\alpha)}$ for some $\alpha \in R$ and an index $i \le \kappa$ as inputs and returns a level-i encoding $u \in S_i^{(\alpha)}$ for the same α.
Re-Randomization. The randomized reRand(params, i, u) re-randomizes encodings at the same level i, as long as the initial encoding u is under a given noise bound.
Addition and Negation. Given params and two encodings relative to the same level, $u_1 \in S_i^{(\alpha_1)}$ and $u_2 \in S_i^{(\alpha_2)}$, we have add(params, $u_1$, $u_2$) $\in S_i^{(\alpha_1 + \alpha_2)}$ and neg(params, $u_1$) $\in S_i^{(-\alpha_1)}$, subject to bounds on the noise.
Multiplication. For $u_1 \in S_i^{(\alpha_1)}$ and $u_2 \in S_j^{(\alpha_2)}$, there is mul(params, $u_1$, $u_2$) $= u_1 \times u_2 \in S_{i+j}^{(\alpha_1 \cdot \alpha_2)}$.
Zero-Test. The procedure Zero(params, $p_{zt}$, u) returns 1 if $u \in S_\kappa^{(0)}$ and 0 otherwise.
Extraction. This procedure extracts a "canonical" and "random" representation of ring elements from their level-κ encoding. More specifically, ext(params, $p_{zt}$, u) outputs $s \in \{0,1\}^\lambda$ such that: